Tuesday, September 18, 2007


Originally uploaded by Mr Snootyhamper
I got a nice little phishing email today. I don't get too many, and luckily the mail had been filtered by Outlook automatically - the offending item was in my Junk Mail folder.

The message was also forced into plain-text mode, so the fake URL for PayPal was clear, but I decided to paste it into IE7 anyway, just to see how the Phishing Filter handled it. Sadly the website was not automatically recognized as a phishing site (I submitted it, so hopefully it will be recognized soon)

To recognize that this is a phishing page, notice the server address (the stuff after http://) is a weird domain name ending in .co.kr. The :81 is a port number - almost all normal websites won't have this in their URLs. Ignore anything after the '/' following the port - that looks like PayPal, but in fact it can be whatever the bad guy wants.
Incidentally, some phishing sites use server addresses that look more valid, such as www.paypal.somefunkyname.co.kr.

The phishing page is pretty brazen. First you have to "log in" with your email and password (anything you enter will be accepted). Then you are prompted to hand over all your private information: name, address, DOB, phone, credit card number + CVV2 and ATM pin. Why anyone would give their ATM PIN to a website purporting to be PayPal I don't know - perhaps the phishing folks just though they might get lucky?

They also ask for the last six digits of your SSN - I guess they don't ask for the whole thing since people are used to entering the last few digits only, and think this is safe. No-one apart from your employer and the IRS should ever need your SSN - even the last four digits! (And I think with the last six digits, the bad guys can figure out the remainder based on your ZIP code/State of residence).

I hope people now know to never enter this sort of personal information on a website - especially one linked to in an email.

No comments: